AI-Augmented Reconnaissance & OSINT

Final Exam

20 questions · 70% to pass
1. What is the minimum viable documentation standard for OSINT collection artifacts? Select the answer that includes ALL required elements from Lesson 4.
Correct. All four elements are required: UTC timestamp (to the minute), exact query or method used, raw output preserved (screenshot plus source HTML/JSON), and explicit chain of inference linking evidence to finding.
Incorrect. The four required elements are: UTC timestamp to the minute, exact query or method used, raw output preserved, and explicit chain of inference connecting raw evidence to the stated finding.
2. In graph analysis, a "chokepoint" node is one that:
Correct. Chokepoints are defined by their graph position — high fanout to downstream assets — not by vulnerability severity or freshness. A central SSO provider or domain controller is a classic chokepoint.
Incorrect. Chokepoints are defined by graph topology — the node whose compromise cascades access to the most downstream assets, regardless of individual vulnerability profile.
3. What does the HideMyAss (2011) and IPVanish (2017) case evidence establish about commercial VPN "no logs" policies?
Correct. Both documented cases show that marketing claims about log retention did not prevent law enforcement cooperation. VPN providers are subject to legal process in their jurisdiction regardless of their privacy policies.
Incorrect. Both HideMyAss and IPVanish produced detailed connection logs to law enforcement despite advertising no-logs policies. The business model and legal exposure of VPN providers makes reliance on marketing claims operationally unacceptable.
4. When using AI to draft finding blocks, which type of task produces the most reliable output?
Correct. AI excels at structured transformation tasks — taking data in one form and producing it in another with well-defined criteria. These tasks produce the most reliable and usable output.
Incorrect. Structured transformation — converting raw tool output into formatted findings per a defined template — is where AI produces the most reliable output. Prediction and legal judgment are outside its reliable capability.
5. What did Italy's data protection authority Garante do in 2023 regarding ChatGPT, and what OSINT implication did this establish?
Correct. The Garante action highlighted that AI query logs — including the target names and sensitive details investigators type — are treated as data records subject to data protection law and legal process.
Incorrect. Garante temporarily suspended ChatGPT specifically over data retention and personal data processing concerns — establishing the principle that AI query logs are legal records that investigators must account for in their operational security planning.
6. The U.S. GAO's post-mortem on the Equifax 2017 breach cited which specific failure as a root cause?
Correct. The GAO cited incomplete enumeration of internet-accessible systems as the root cause that allowed the patch to be applied to the wrong network segment.
7. The EFF's Panopticlick research demonstrated what about browser fingerprinting?
Correct. The Panopticlick project showed that browser parameters — user agent, installed fonts, screen resolution, TLS parameters, WebGL signature — create a unique fingerprint for most users that persists across sessions without cookies.
Incorrect. Panopticlick demonstrated that over 80% of browsers have unique fingerprints based on technical parameters alone — no cookies required. VPNs do not affect this because the fingerprint is assembled from browser properties, not IP address.
8. Deconfliction of an AI-generated operational target list must be performed by a human because:
Correct. Scope enforcement is an irreducibly human responsibility. The model generates targets from OSINT without knowledge of what the client has authorized — only a human with the ROE document can perform that boundary check.
Incorrect. AI scope blindness is the core issue: models generate targets based on what exists and what scores high — they have no mechanism to know what is authorized in a specific engagement's rules of engagement.
9. The 2013 Georgetown/SRI research on Tor traffic correlation attacks found what?
Correct. The research demonstrated that Tor is not appropriate as a sole anonymization control against well-resourced nation-state adversaries who can influence relay selection through controlling a significant minority of the network.
Incorrect. The Georgetown/SRI research found that controlling just 10% of Tor relays was sufficient to deanonymize 80% of users within six months through statistical traffic correlation — a significant finding for investigators whose threat models include nation-state actors.
10. The 2018 Marriott/Starwood breach cost over $600 million in total. What is the lesson's OSINT-relevant point about this breach?
Correct. The legacy Starwood systems running unpatched with exposed management interfaces were passively discoverable — a quantified risk report at the time would have been very different from a qualitative Critical label.
Incorrect. The lesson's point is that the pre-breach indicators were discoverable via passive OSINT — illustrating why quantified risk treatment in recon reports matters more than qualitative severity labels.
11. Hunter.io's Email Finder function operates by:
Correct. Hunter.io's Email Finder uses the organisation's confirmed email format (derived from indexed addresses) to predict the most likely address for a given name and domain.
Incorrect. Hunter.io uses the confirmed format pattern from its indexed database of public web data to predict addresses — it does not probe SMTP servers or access Active Directory.
12. The SolarWinds case illustrates which key principle of advanced target prioritization?
Correct. SVR/APT29's selective activation of high-value targets from a much larger pool of compromised hosts is a real-world demonstration of intelligence-driven prioritization conserving operational bandwidth.
Incorrect. The defining characteristic of the SolarWinds operation was extreme selectivity — pre-scored prioritization guided which of 18,000 compromised installations received active follow-on exploitation.
13. Why should an operational target list be maintained as a "living document" with a change log during an engagement?
Correct. Engagements are dynamic — recon-phase intelligence becomes stale as operations proceed. A change-logged living document ensures operators always work from current intelligence rather than a static snapshot.
Incorrect. The target list must be living because engagements generate new intelligence — hosts change state, credentials produce unexpected access, and new assets are discovered during lateral movement. The list must track reality.
14. The Marriott-Starwood breach illustrates acquisition drift. What made the compromised Starwood system invisible to Marriott's security team?
Correct. The system was invisible because it was never added to Marriott's inventory or monitoring scope post-acquisition — the canonical acquisition-drift failure.
15. Which of the following is classified as an ACTIVE reconnaissance method (out of scope for passive OSINT)?
Correct. nmap port scanning sends packets directly to target systems, creating log entries — it is definitionally active reconnaissance.
Incorrect. Of these options, only nmap port scanning is active — it sends packets to target systems. CT log queries, LinkedIn review, and WHOIS lookups generate no signals on target infrastructure.
16. A CNAME record for blog.target.com resolves to target.wpengine.com. What does this fingerprinting signal confirm?
Correct. A CNAME to *.wpengine.com is definitive evidence of WP Engine managed WordPress hosting. This also implies WordPress as the CMS and WP Engine's specific CDN and security stack.
Incorrect. A CNAME resolving to *.wpengine.com definitively identifies WP Engine as the managed WordPress host. WP Engine actively maintains its DNS so this is not a takeover scenario — it's an active, claimed resource.
17. The 2013 Target breach traversal path went through which intermediate entity?
Correct. Fazio Mechanical's legitimate-but-poorly-isolated remote access became the traversal path. The vendor-client relationship was publicly listed on Fazio's own website — discoverable through OSINT graph analysis.
Incorrect. The breach traversed Fazio Mechanical Services — an HVAC vendor whose remote monitoring access to Target's network was not properly segmented from the payment environment.
18. What is the primary operational security advantage of using a locally-hosted AI model for sensitive OSINT analysis?
Correct. The key operational security benefit is complete data isolation — locally-hosted model queries exist only on the investigator's hardware and generate no records accessible to third parties through any channel.
Incorrect. The primary advantage is data isolation: no external network transmission, no third-party log retention, no vulnerability to legal process against a provider. Prompt injection and model quality are separate considerations.
19. User enumeration vulnerabilities in login systems allow attackers to:
Correct. User enumeration exploits systems that give different responses (error message text, response timing, HTTP status) depending on whether an account exists — allowing confirmation of valid email addresses without authentication.
Incorrect. User enumeration exploits differences in system responses (different error messages, response times, or status codes) to confirm whether a specific email address has a registered account — without requiring a valid password.
20. Why does Wappalyzer's detection of "WordPress 6.2.1" matter more for CVE correlation than simply detecting "WordPress 6"?
Correct. Security patches are delivered in minor and patch releases. WordPress 6.2 might have CVE-X while 6.2.1 patches it. Without the patch version, you cannot determine whether the specific fix has been applied.
Incorrect. Minor and patch version numbers matter enormously for CVE correlation because individual security fixes are delivered at that granularity. Version 6.2 and 6.2.1 may have completely different CVE exposure profiles.